VYPR

pypi · Malicious package advisory

Malware

fastercode

MAL-2026-6206

Malicious code in fastercode (PyPI)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (14de4534d4cf2290f5f54bc5929fa799b73dff2e6a03aa879ade141dfc6ea054)
The package advertises itself as a Python performance helper ("Make your Python code run faster") and exposes a single public function `run()`. On Windows, calling `run()` fetches `BackgroundSyncService.exe` from `https://raw.githubusercontent.com/manhhungdev0603/kl.py/refs/heads/main/BackgroundSyncService.exe`, writes it to `%PROGRAMDATA%\BackgroundSyncService\`, and launches it via `subprocess.Popen([local_filepath], shell=True)` (fastercode/core.py:7-22). The source URL is a mutable branch reference on a personal GitHub account; the repo is named `kl.py` (suggestive of "keylogger.py"); the binary is unsigned, unpinned, and unrelated to the package's advertised purpose. All exceptions during download/execute are swallowed silently. Package metadata lists `author="Anonymous"` with no email or homepage, consistent with a throwaway publish account. Any developer who imports fastercode and calls its only public API on Windows runs an attacker-controlled executable persisted under PROGRAMDATA.

## Source: kam193 (1c2793304d30de27278e36f79685e9ca60f9f839d7a27d2ea39d8d22e36a8584)
The package contains code to download and run a malicious executable. The executable contains a remote access trojan controlled via Telegram bot, with capabilities like a keylogger, screen recording, command execution. It also attempts to gain persistence via startup registry keys.


---

Category: MALICIOUS - The campaign has clearly malicious intent, like infostealers.


Campaign: 2026-06-fastercode


Reasons (based on the campaign):


 - Downloads and executes a remote executable.


 - peristence-autorun


 - uses-telegram-bot


 - keylogger


 - rat


 - spyware-like

Compromised versions (3)

  • 0.1.0
  • 0.1.1
  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.